Decrypting TLS in Wireshark - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
If Wireshark knows the session key of a TLS session (the symmetric key that gets negotiated during the handshake), it can decrypt the encrypted TLS packets.
Systems can store these keys in a log file if the SSLKEYLOGFILE environment variable is set. Some browsers (Chrome and Firefox) look for this variable and write their session keys to the file it names.
Tell Windows to create the Log File
- On your Windows VM, go to System Properties --> Environment Variables
- Create a new System variable:
  - Variable name: `SSLKEYLOGFILE`
  - Variable value: `c:\users\champuser\sslkeylog.log`
TROUBLESHOOTING: Once I created my variable, the log file was not created. To solve this I had to browse to an HTTPS site in a browser, since the purpose of the file is to log SSL connections.
Test Logging
- Kill all running instances of any browser (if any)
- Open Chrome and go to any HTTPS website
- Look in Windows Explorer for the log file you created above
- Open in Notepad; you should see some key info recorded
- Do not go on to the next step until you see key data
- Close the .log file
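A quick way to confirm that the log actually holds usable key material before pointing Wireshark at it (an added example, not part of the original journal): this script parses the NSS Key Log Format that Chrome and Firefox write, groups lines by client random, and reports which sessions Wireshark has enough secrets to decrypt. The sample log is constructed; to check your own file, read `sslkeylog.log` into a string and pass it to `parse_keylog`.

```python
import re

# NSS Key Log Format: TLS 1.2 master secrets are 48 bytes, TLS 1.3 secrets 32 or 48 bytes.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# Each line is: <label> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Group key-log lines by client random; return (sessions, problems)."""
    sessions, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are legal
            continue
        match = LINE_RE.match(line)
        if not match:
            problems.append((lineno, "malformed line"))
            continue
        label, client_random, secret = match.groups()
        secret_bytes = len(secret) // 2
        if label in TLS12_LABELS and secret_bytes == 48:
            version = "TLS 1.2"
        elif label in TLS13_LABELS and secret_bytes in (32, 48):
            version = "TLS 1.3"
        else:
            problems.append((lineno, f"unexpected label or length: {label} {secret_bytes}B"))
            continue
        info = sessions.setdefault(client_random, {"version": version, "labels": set()})
        info["labels"].add(label)
    return sessions, problems

def decryptable_sessions(sessions):
    """Client randoms for which Wireshark holds enough material to decrypt application data."""
    ready = []
    for client_random, info in sessions.items():
        if info["version"] == "TLS 1.2":
            ready.append(client_random)  # the master secret alone is enough
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= info["labels"]:
            ready.append(client_random)  # TLS 1.3 needs both application traffic secrets
    return ready

# Constructed sample, not real key material: a TLS 1.2 session, a TLS 1.3 session with
# only a handshake secret logged so far, and a truncated line.
SAMPLE_LOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "CLIENT_RANDOM deadbeef",
])
```

If `decryptable_sessions` returns an empty list for your file, Wireshark will show the TLS records but not the HTTP inside them, so keep browsing until a complete session has been logged.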
Configure Wireshark
- Open up Wireshark > Edit > Preferences
- Click on Protocols and browse to TLS
- Under Pre-Master-Secret Log File, browse to the file you created above
Restart Wireshark
- Start a capture
- Browse to https://192.168.4.243 until you see its page display
- Stop the capture
- View the results and filter on the IP address above
- Can you find the GETs and Responses decrypted? Can you see the content?
Post a screenshot of the keys in your SSL key log file and a screenshot of a decrypted SSL packet in Wireshark showing the super secret phrase!
The log file contains the information for one connection. Once another connection is started, it will be overwritten with the new connection!